The Future of Security: A Roundtable
Kevin Poulsen

We Need a Basic Set of User Rights

Protecting user data is non-negotiable if we want the internet to flourish.

Companies today do little to protect sensitive user data in applications and Internet-connected devices. This lack of attention leaves users highly vulnerable.

Michael Coates, Trust and Security Officer / Twitter

The root cause is the absence of a uniform requirement for basic security controls to protect user data. It is unfathomable that an application or device can be created and adopted by millions that fails to encrypt communications with TLS, has rampant vulnerabilities in the application or lacks fundamental security controls on backend servers. Yet this behavior is commonplace.

Users should not have to petition companies to implement security or fix egregious vulnerabilities. The protection of sensitive user data should be backed by regulation that has teeth.

Legislation should not be used to dictate technical choices, but we need a basic set of user rights for security of user data that is backed by regulation. This does not have to be complex. If an application handles sensitive user information then it is required to:

  1. Maintain an application, back end server, and services that are free from vulnerabilities that put sensitive data at risk
  2. Encrypt sensitive data in transmission
  3. Address and patch detected vulnerabilities in a reasonable time period
If we wish for the Internet to continue to flourish, the protection of user data must be a non-negotiable requirement for all applications.

Ten years from now, I predict that the largest risk to society will be attempts to criminalize or undermine privacy protecting technology.

The existence of technologies such as Tor and encryption is crucial to protect individuals living in nations where free expression is not guaranteed and the expression of an idea can place an individual at risk. Technology has empowered many to share views on topics that would otherwise be hidden from worldwide awareness.

To ensure such technologies continue to operate we need a concerted effort from industry to welcome users from Tor and similar technologies. Spam, malware or abusers that attempt to piggyback on privacy-preserving technology must be sought out individually, without broadly applying adverse impacts to a single technology.

Technology will enable a wide number of potential futures. Let’s use this technology to protect those who are oppressed and enable freedom of expression across the world.

The Future of Security Roundtable is a Google-sponsored initiative that brings together thought leaders to discuss how we can best protect ourselves from the data breaches and security risks of tomorrow. Panelists are not affiliated with Google, and their opinions are their own. Read the post that kicked off the roundtable here and feel free to join in the conversation.